I am running a ZAP Docker full scan against my target host. However, while debugging I found that I had missed providing login information to my web application, which is also my target host. The steps are as follows -

sh 'docker run -v /<Jenkins Path>/Reports:/zap/wrk/:rw -t docker.io/owasp/zap2docker-stable zap-full-scan.py -t https://<host>:<IP>/ -g gen.conf -r testreport.html'

This scans up to https://://login and then ends the scan. Then, when I started exploring more about having ZAP log in to the web application and perform the scan, I came across the authentication solution based on https://github.com/ICTU/zap-baseline and other form-based ZAP stable builds, and I also got the following error when I ran the command

docker run --rm -v /<Path>/Reports:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://<host>:<port> -r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=https://<ip>:<port>/<page>/login auth.username="abc" auth.password="abc123" auth.username_field="j_username" auth.password_field="j_password" auth.submit_field="j_submit""
Error
14593 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
16732 [ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
16737 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
java.lang.Exception: File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
at org.parosproxy.paros.CommandLine.parse(CommandLine.java:304) ~[zap-D-2021-02-01.jar:D-2021-02-01]
at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1049) ~[zap-D-2021-02-01.jar:D-2021-02-01]
at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:85) [zap-D-2021-02-01.jar:D-2021-02-01]
at java.lang.Thread.run(Thread.java:834) [?:?]
16751 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:54624
56762 [ZAP-ProxyThread-11] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=false, tokenValues='']
56807 [ZAP-ProxyThread-13] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=true, tokenValues='JSESSIONID=<sessionid>']
67128 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: ctx-zap-docker at Wed Feb 17 16:56:10 UTC 2021
67134 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
67212 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
72093 [ZAP-PassiveScanner] INFO org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Absence of Anti-CSRF Tokens as it has raised more than 10 alerts.

Is there any other way to perform a full scan on ZAP Docker with login or form-based authentication instead of a headless scan? Also, regarding #1 - how do I get through all the initial setup and land on the login page? Or how can I bypass the initial setup and land directly on the login page? But unless the initial setup page is completed, the login page is not enabled or it cannot get to /login/.
I also found the following error -
660506 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - Scanning 541 node(s) from https://<ip>:<port>
660508 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://<ip>:<port> | PathTraversalScanRule strength LOW threshold MEDIUM
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGBUS (0x7) at pc=0x00007fd5508d72b5, pid=9, tid=2998
#
# JRE version: OpenJDK Runtime Environment (11.0.9.1+1) (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
# Java VM: OpenJDK 64-Bit Server VM (11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# v ~StubRoutines::jlong_disjoint_arraycopy
#
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P %E" (or dumping to /zap/core.9)
#
# An error report file with more information is saved as:
# /zap/hs_err_pid9.log
Compiled method (c2) 1152543 17502 ! 4 java.nio.DirectByteBuffer::put (151 bytes)
total in heap [0x00007fd558d4d710,0x00007fd558d4e020] = 2320
relocation [0x00007fd558d4d888,0x00007fd558d4d8b8] = 48
main code [0x00007fd558d4d8c0,0x00007fd558d4dbc0] = 768
stub code [0x00007fd558d4dbc0,0x00007fd558d4dbe8] = 40
oops [0x00007fd558d4dbe8,0x00007fd558d4dbf0] = 8
metadata [0x00007fd558d4dbf0,0x00007fd558d4dc60] = 112
scopes data [0x00007fd558d4dc60,0x00007fd558d4df08] = 680
scopes pcs [0x00007fd558d4df08,0x00007fd558d4dfe8] = 224
dependencies [0x00007fd558d4dfe8,0x00007fd558d4dff0] = 8
handler table [0x00007fd558d4dff0,0x00007fd558d4e008] = 24
nul chk table [0x00007fd558d4e008,0x00007fd558d4e020] = 24
Compiled method (c1) 1152543 15814 3 org.hsqldb.rowio.RowOutputBinaryEncode::writeData (93 bytes)
total in heap [0x00007fd552311990,0x00007fd552312ba8] = 4632
relocation [0x00007fd552311b08,0x00007fd552311bf0] = 232
main code [0x00007fd552311c00,0x00007fd5523127c0] = 3008
stub code [0x00007fd5523127c0,0x00007fd552312860] = 160
oops [0x00007fd552312860,0x00007fd552312868] = 8
metadata [0x00007fd552312868,0x00007fd5523128a8] = 64
scopes data [0x00007fd5523128a8,0x00007fd552312a18] = 368
scopes pcs [0x00007fd552312a18,0x00007fd552312b78] = 352
dependencies [0x00007fd552312b78,0x00007fd552312b80] = 8
nul chk table [0x00007fd552312b80,0x00007fd552312ba8] = 40
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled
#
# If you would like to submit a bug report, please visit:
# https://bugs.launchpad.net/ubuntu/+source/openjdk-lts
#

Posted on 2021-02-18 09:17:30
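The question passes its login settings as one hook-style `-z` string. The following is an added example (not code from the question, from ZAP, or from the ICTU project) that parses such a string and replays the same form-based login configuration against ZAP's JSON API, so the settings can be checked in an automated run rather than only inside the container. Assumed, and labelled as such in the code: a ZAP daemon listening on http://localhost:8080 with the placeholder API key `changeme`, the documented `context`, `authentication`, `users` and `forcedUser` API actions, and the `auth.*` keys and `j_username` / `j_password` field names taken from the question; the target URL and credentials in the sample are constructed.

```python
"""
Added example, not code from the question or from the ZAP / ICTU projects.
Parses a hook-style 'auth.loginurl=... auth.username="abc" ...' string and
configures ZAP's native form-based authentication through the JSON API.

Assumptions (placeholders): ZAP API at http://localhost:8080, API key
'changeme'; endpoint names are ZAP's documented context/authentication/
users/forcedUser actions.
"""
import json
import shlex
import urllib.parse
import urllib.request
from typing import Dict

ZAP_API = "http://localhost:8080"  # placeholder: where the ZAP daemon listens
API_KEY = "changeme"               # placeholder: the ZAP API key


def parse_auth_option(option: str) -> Dict[str, str]:
    """Turn the hook-style -z value into a dict keyed without the 'auth.'
    prefix.  shlex.split strips the quotes around each value the same way
    a POSIX shell would, so auth.username="abc" yields 'abc'."""
    settings = {}
    for word in shlex.split(option):
        key, sep, value = word.partition("=")
        if not sep or not key.startswith("auth."):
            raise ValueError(f"not an auth.* setting: {word!r}")
        settings[key[len("auth."):]] = value
    return settings


def form_auth_params(settings: Dict[str, str]) -> str:
    """Build the authMethodConfigParams value for formBasedAuthentication.
    loginRequestData is itself a query string whose credential slots are the
    ZAP placeholders {%username%} and {%password%}, filled in per user.
    This string is URL-encoded again when sent as an API parameter."""
    login_request = "{}={{%username%}}&{}={{%password%}}".format(
        settings["username_field"], settings["password_field"])
    return urllib.parse.urlencode({
        "loginUrl": settings["loginurl"],
        "loginRequestData": login_request,
    })


def zap_call(component: str, action: str, **params) -> dict:
    """GET one ZAP JSON API action and decode its reply."""
    params["apikey"] = API_KEY
    url = (f"{ZAP_API}/JSON/{component}/action/{action}/?"
           + urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def configure_form_auth(target: str, settings: Dict[str, str],
                        logged_in_regex: str) -> Dict[str, str]:
    """Create a context for the target, attach form-based authentication,
    add one user with the credentials and force every request to be sent as
    that user.  The logged-in indicator regex is what lets ZAP tell an
    authenticated response from an expired session; without it ZAP cannot
    notice that it has been logged out mid-scan.  Returns ids for later
    spider/ascan scanAsUser calls."""
    ctx = zap_call("context", "newContext", contextName="ctx-auth")["contextId"]
    zap_call("context", "includeInContext", contextName="ctx-auth",
             regex=target + ".*")
    zap_call("authentication", "setAuthenticationMethod", contextId=ctx,
             authMethodName="formBasedAuthentication",
             authMethodConfigParams=form_auth_params(settings))
    zap_call("authentication", "setLoggedInIndicator", contextId=ctx,
             loggedInIndicatorRegex=logged_in_regex)
    user = zap_call("users", "newUser", contextId=ctx,
                    name=settings["username"])["userId"]
    zap_call("users", "setAuthenticationCredentials", contextId=ctx, userId=user,
             authCredentialsConfigParams=urllib.parse.urlencode(
                 {"username": settings["username"],
                  "password": settings["password"]}))
    zap_call("users", "setUserEnabled", contextId=ctx, userId=user, enabled="true")
    zap_call("forcedUser", "setForcedUser", contextId=ctx, userId=user)
    zap_call("forcedUser", "setForcedUserModeEnabled", boolean="true")
    return {"contextId": ctx, "userId": user}


if __name__ == "__main__":
    # Constructed sample: the question's -z value with its placeholders
    # replaced by made-up values.
    option = ('auth.loginurl=https://app.example:8443/portal/login '
              'auth.username="abc" auth.password="abc123" '
              'auth.username_field="j_username" auth.password_field="j_password" '
              'auth.submit_field="j_submit"')
    parsed = parse_auth_option(option)
    print(form_auth_params(parsed))
    # With a running ZAP daemon (see placeholders above), uncomment:
    # print(configure_form_auth("https://app.example:8443", parsed, "Logout"))
```

The offline part (parsing and parameter building) runs as-is; `configure_form_auth` needs a live ZAP daemon. A useful check before trusting the export is that the logged-in indicator really matches an authenticated page and nothing else, otherwise ZAP will either keep re-authenticating or silently scan logged out.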
I always recommend people use ZAP desktop to set up and test authentication - it is very hard to do without the UI. Once you have it working on the desktop you can export those settings and test that they still work in your automation environment. I have recorded a set of videos on ZAP automation and authentication: https://www.zaproxy.org/addo-auth-workshop/ and am now recording more as part of the Deep Dive series: https://www.zaproxy.org/zap-deep-dive/

Take it one step at a time - there is no point trying to do everything at once, as the chance of it working first time is small, and when you try to fix the problem you will not know where to start.
https://stackoverflow.com/questions/66247714